Video Conferencing dropouts behind a SonicWall

With the explosion of people using Teams / Zoom etc. for video conferencing while working remotely, we hit an issue with some customers when users started returning into the office, with video and audio dropouts.

This really confused me as I have had no issues behind my firewall at home, nor have we had issues in the office.

Both customers that reported this are fairly big with 100mb+ leased line connections.

After a lot of testing, it appears that there are some changes that are required:

No.1 – UDP Flood Protection is what was killing both – I increased both customer firewalls from 1000 UDP Packets/sec to 10,000 – this resolved most of the issues

No.2 – Teams primarily talks to ports 80/443 as destination ports, so impossible to add exclusions… therefore, you need to add the listed source ports as provided by Microsoft.

Service Objects:

Teams Audio – TCP & UDP – 50000 – 50019

Teams Video – TCP & UDP – 50020 – 50039

Teams Sharing – TCP & UDP – 50040 – 50059

Teams UDP – 3478-3481

Create a Teams Service Group containing the above

Create an Access Rule:

Local Zone -> WAN

Source Port – Teams

Service – Any

Destination – Any

Advanced Tab – Disable DPI

Access rule required for each zone required to use Video / Audio

This should resolve any issues they may have. I’ve only tested the above with Teams and Zoom… but could resolve for others too.

Category: Firewall Security Services

Comments

  • shiprasahu93 Moderator

    Thanks for sharing this @justin. I will try to see if this can be added as a KB article.

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • fmadia Moderator
    edited July 9

    Hi @justin,

    thanks for sharing this tip. I do agree that Teams had some issues lately, not just with SonicWall but with multiple firewall vendors, due to the number of packets sent per second - this is a good thing when you're not behind a firewall as it increases the quality; however, it can overload the network devices as well.

    This is a change applied by Microsoft and it can be fixed by increasing the number of packets/sec in the UDP Flood Protection. Disabling DPI may be at times extreme as the SonicWall won't be able to analyze the traffic shared on Teams; however, I'd recommend disabling it only for the video/audio streaming ports (it's still good to analyze files downloaded or shared there).

    Francesco Madia

  • shiprasahu93 Moderator

    Hello @justin,

    I was caught up with some other stuff and finally got a chance to revisit this. I have added the KB article for this topic as below:

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • RedNet Newbie ✭

    @fmadia Your point on disabling DPI is accurate but the SonicWall OS could be better at helping admins create more security-conscious rules when absolutely having to disable DPI. Having built-in dynamic objects for the major cloud vendors and their services would really help here, like what other firewall vendors already have. If the SonicWall could dynamically download the IP ranges for major cloud services like o365 email/teams etc. and the SonicWall admin could leverage this in his rule.

    I am amazed this isn't in the OS yet as it complements application control very well.

  • justin Newbie

    Hi @shiprasahu93, I just noticed in the KB article there's no mention of the Teams ports having to be Source ports, not destination. Teams works primarily on ports 80 and 443 as destination ports, so the Access Rules must be added as Source.

    Thanks


    Justin

  • shiprasahu93 Moderator

    @justin,

    So, the clients establish an HTTP/HTTPS connection, post which the ports mentioned can be used for specific functionality like audio, video, sharing etc. The service is actually the destination ports and the response on them will use those as source ports.

    Again, a WAN to LAN access rule will get triggered only when the traffic is initiated from outside. With the traffic initiated from LAN, the response on them will trigger that LAN to WAN rule as well for the destination ports set to the concerned ports. I did not want to pinpoint how the access rule should be created as that can be different for a specific application.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services
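
An added example, not part of any post above and not SonicWall code: it models the access rule from the first post (match on source port, DPI disabled) and shows which LAN-to-WAN flows would skip inspection with Destination Any versus a rule narrowed to conferencing destinations, as the comments suggest. The destination network, the sample flows and all function names are assumptions made for illustration.

```python
import ipaddress

# Source-port ranges of the service objects listed in the first post.
TEAMS_SOURCE_PORTS = [(50000, 50019), (50020, 50039), (50040, 50059), (3478, 3481)]

# Assumption: placeholder for vendor-published conferencing ranges
# (documentation address space, not real Microsoft addresses).
EXAMPLE_TEAMS_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# IANA dynamic (ephemeral) port range, the default on current Windows clients.
EPHEMERAL = (49152, 65535)


def in_ranges(port, ranges=TEAMS_SOURCE_PORTS):
    """True if the port falls inside any (low, high) range, inclusive."""
    return any(lo <= port <= hi for lo, hi in ranges)


def skips_dpi(flow, dst_nets=None):
    """True if the flow matches the DPI-disabled rule.

    dst_nets=None models 'Destination – Any' as in the post; a list of
    networks models a rule narrowed to known conferencing destinations.
    """
    if not in_ranges(flow["sport"]):
        return False
    if dst_nets is None:
        return True
    dst = ipaddress.ip_address(flow["dst"])
    return any(dst in net for net in dst_nets)


def ephemeral_overlap():
    """Fraction of the ephemeral source-port range that matches the rule."""
    lo, hi = EPHEMERAL
    hits = sum(in_ranges(p) for p in range(lo, hi + 1))
    return hits / (hi - lo + 1)


# Constructed sample flows (LAN -> WAN), not captured traffic.
FLOWS = [
    {"name": "teams-audio", "proto": "udp", "sport": 50004, "dst": "198.51.100.20", "dport": 3478},
    {"name": "web-download", "proto": "tcp", "sport": 50031, "dst": "203.0.113.7", "dport": 443},
    {"name": "web-browse", "proto": "tcp", "sport": 51544, "dst": "203.0.113.7", "dport": 443},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f["name"], "any-dst:", skips_dpi(f), "scoped:", skips_dpi(f, EXAMPLE_TEAMS_NETS))
    print(f"ephemeral ports matching the rule: {ephemeral_overlap():.2%}")
```

Because ordinary client connections draw source ports from the same ephemeral range, a small share of unrelated traffic matches the Destination Any rule; scoping the destination removes that overlap.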
